Sending SAML Requests

Communication between SAML partner sites involves both generating outbound SAML Requests to partner sites and responding to incoming SAML Requests from partner sites.

The SAML extension server can send SAML Requests to partner sites. This occurs in the SAML browser/Artifact profile when an incoming user from a Trusted Affiliate attempts to authenticate using a SAML Artifact. The SAML extension server must request the corresponding SAML assertion from the referring SAML Trusted Affiliate. This request can be made over mutually authenticated SSL. Figure 94 shows the required interactions for this communication to occur:

Figure 94
Required Interactions

In order for the communication to occur, the SAML extension server must have in its Trust Store the SSL Server Certificate of the Trusted Affiliate to whom the request is sent. If SSL with mutual authentication is being used, the Trusted Affiliate must have the SAML extension's SSL Client Certificate in its Trust Store.
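The artifact resolution step described above, as an added illustration in Python (not code from the iChain SAML extension): decode the SAML artifact, identify the referring Trusted Affiliate by its SourceID, and build the TLS settings whose Trust Store holds that affiliate's SSL server certificate and whose client certificate is offered when the affiliate requires mutual authentication. The site identifier, responder URL and certificate file paths are assumed placeholders.

```python
import base64
import hashlib
import ssl
from dataclasses import dataclass

# Constructed sample values (placeholders, not from the product documentation):
# a Trusted Affiliate's SAML site identifier and its artifact responder URL.
AFFILIATE_SITE_ID = "https://affiliate.example.org/saml"
AFFILIATE_RESPONDER = "https://affiliate.example.org/saml/responder"
TYPE_CODE_0001 = b"\x00\x01"  # SAML 1.x artifact type 0x0001

@dataclass(frozen=True)
class Artifact:
    source_id: bytes         # SHA-1 of the issuing site's identifier (20 bytes)
    assertion_handle: bytes  # opaque handle the affiliate maps to the assertion (20 bytes)

def make_artifact(site_id: str, handle: bytes) -> str:
    """Build a type-0001 artifact as the affiliate would issue it (for the sample run)."""
    return base64.b64encode(TYPE_CODE_0001 + hashlib.sha1(site_id.encode()).digest() + handle).decode()

def parse_artifact(b64: str) -> Artifact:
    """Decode 2-byte type code + 20-byte SourceID + 20-byte AssertionHandle."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE_0001:
        raise ValueError("not a type 0x0001 SAML artifact")
    return Artifact(raw[2:22], raw[22:])

def lookup_affiliate(source_id: bytes, affiliates: dict[str, str]) -> str:
    """Find the referring Trusted Affiliate's responder; unknown SourceIDs are refused."""
    for site_id, url in affiliates.items():
        if hashlib.sha1(site_id.encode()).digest() == source_id:
            return url
    raise LookupError("artifact was not issued by a Trusted Affiliate")

def resolver_tls_context(trust_store=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """TLS settings for the assertion request. trust_store: PEM file holding the affiliate's
    SSL server certificate (its Trust Store entry). client_cert/client_key: the extension's
    SSL client certificate, presented when the affiliate requires mutual authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=trust_store)
    ctx.verify_mode = ssl.CERT_REQUIRED  # an affiliate cert missing from the Trust Store fails the handshake
    ctx.check_hostname = True
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def trust_store_enforced(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses any affiliate whose server cert is not in the Trust Store."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```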

If the Trusted Affiliate in this example were an iChain site, the interaction would be as shown in Figure 95:

Figure 95
iChain site as the Trusted Affiliate

All traffic intended for the SAML extension server passes through iChain first, so incoming requests establish their SSL connections with iChain rather than directly with the SAML extension server. This means that in order to establish trust, the Trusted Affiliate site must have the iChain SSL Server certificate in its Trust Store.